Re: [Gmod-ajax] log4j removal in apollo

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

I don't know a good way to use the existing Docker image, you'd probably
have better luck cloning the Apollo repo, making some changes there, and
building your own docker image from scratch using the Dockerfile in the
repo.

As for what changes to make, you could possibly try the method under
"Alternative logging libraries" mentioned here
<https://grails.github.io/grails2-doc/2.5.x/guide/single.html#logging>.
Perhaps you can exclude the Log4J and not provide a replacement for it and
it still might build.

Best,
Garrett

On Wed, Jul 20, 2022 at 4:16 PM Justin Elser <jus...@or...>
wrote:

> Hi all,
>
> Our campus is requiring us to remove log4j from any sites before we make
> them public. I know that technically log4j 1.2 isn't vulnerable to the
> log4shell vulnerability, but they are still telling me the old version
> has different issues and must be removed.
>
> I know this was already discussed in
> https://github.com/GMOD/Apollo/issues/2640, so it looks like updating to
> log4j >=2.17 is not really being considered at this time, which I
> understand, looks like a lot of work.
>
> However, since we don't plan on using the logs in this way, we want to
> just remove it completely from our instance.
>
> I am hoping you can help me figure out the easiest/best way to remove it
> completely. Added complexity, we are using the docker image of it.
>
> This is a bit outside my wheelhouse, so I'm looking for help. I did try
> just removing the 3 log4j jar files I found, save it with a docker
> commit, but it appears to just re-install them the next time it is started.
> root@a90df9ffd565:/# locate log4j
> /var/lib/tomcat9/webapps/ROOT/WEB-INF/lib/grails-plugin-log4j-2.5.5.jar
> /var/lib/tomcat9/webapps/ROOT/WEB-INF/lib/log4j-1.2.17.jar
>
> /var/lib/tomcat9/webapps/ROOT/WEB-INF/lib/tomcat-embed-logging-log4j-7.0.70.jar
>
> So, how can I remove/disable log4j completely?
>
> Thanks,
> Justin
>
> --
> **********************************************************
> *                                                        *
> *  Justin Elser                                          *
> *  Computational Biology Research Associate              *
> *  Dept. of Botany and Plant Pathology                   *
> *  Jaiswal Lab                                           *
> *  Oregon State University                               *
> *                                                        *
> *  email: jus...@or...                   *
> *                                                        *
> **********************************************************
>
>
>
> _______________________________________________
> Gmod-ajax mailing list
> Gmo...@li...
> https://lists.sourceforge.net/lists/listinfo/gmod-ajax
>